Section 2. User and group permission management
/etc/shadow field reference
useradd -r ming
[09:19:15 root@localhost ~]#echo cisco | passwd --stdin ming
Changing password for user ming.
passwd: all authentication tokens updated successfully.
ming:$6$AUsIFTgTuY/hWn8Y$0PgiuhWLxBGeGRtbd/Niz5R1EsMRvV3gdSRT45jnXMyZisgBzcCybETswhJzuuUQeIPkO/gMzo3rKyXvRAE6h.:19008::::::
--- above is copied from Rocky Linux --- below is CentOS -----
ming:$6$nfkcZ5x7$Le5WQnLSUiJbw2tdXiilhvVZFGy69iuzKQq2XoA84jrHtrOp8fwQgMyunGIt1wQimPf37xdUL7B6rCOvpSaDE0:19008:0:99999:7:::
[root@centos7 ~]#
Help on these fields is available with man 5 shadow
$6 : means sha512
$1 : means md5
👇 Note the special effect of the first date field being 0: the password must be changed at first login
The date you changed the password, as a number of days since 1970-01-01
date of last password change
The date of the last password change, expressed as the number of days since Jan 1, 1970.
The value 0 has a special meaning, which is that the user should change her password the next time she will log in the system.
An empty field means that password aging features are disabled. # This sentence is actually not right: when this field is empty and a maximum age is set later, the password still expires in practice
[09:25:26 root@localhost ~]#echo `date +%s`/86400 |bc
19008
That is where the 19008 for user ming in the screenshot above comes from
minimum password age
How long the user must wait before changing the password, in days; 0 means it can be changed immediately. CentOS 8 defaults to 0, Rocky Linux defaults to empty
maximum password age
How many days until the password expires if the user does not change it, in days. CentOS 8 defaults to 99999; Rocky Linux and CentOS 7 default to empty
password warning period
The maximum age above means the password expires, and 7 days before expiry you are reminded to change it. In practice the reminder comes 6 days ahead, because the day that is 7 days out is still usable, and days are counted as 24-hour periods starting at 08:00:00 of that day, presumably because of GMT+8. These two small details could probably stump a whole bunch of people.
[root@centos7 ~]# date -s "+5 day" # only root can change this successfully
Fri Jan 21 09:40:55 CST 2022
[root@centos7 ~]# date
Then push the local time forward another 10 days and try logging in as ming
[root@centos7 ~]# date -s "+5 day"
Wed Jan 26 09:44:25 CST 2022
[root@centos7 ~]# date -s "+5 day"
Mon Jan 31 09:45:03 CST 2022
[root@centos7 ~]#
password inactivity period
Relative to the password expiry time (maximum password age): if a further X days pass beyond it, the account is disabled; that X is what password inactivity period means.
ming:$6$nfkcZ5x7$Le5WQnLSUiJbw2tdXiilhvVZFGy69iuzKQq2XoA84jrHtrOp8fwQgMyunGIt1wQimPf37xdUL7B6rCOvpSaDE0:19008:0:10:7:5::
account expiration date
Account validity period. The previous fields all concern password expiry; this one concerns the account itself
Note the difference from the previous screenshot: it no longer talks about authentication, it says outright that the account has expired.
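An added example (not code from these notes) that turns the fields just described into a check: it computes the day number the same way as the date/bc command above and classifies each entry as expired, in its warning window, inactive-locked or account-expired. The sample lines are constructed to mirror the ming entries above with shortened hashes; the comparisons follow the ones pam_unix makes at login, which is an assumption of this example to verify against your distribution.

```python
"""Evaluate /etc/shadow aging fields (added example, not from these notes).

Field order: name:password:last_change:min:max:warn:inactive:expire:reserved.
Day numbers are days since 1970-01-01, the value `echo $(date +%s)/86400 | bc`
prints. Empty numeric fields are read as -1, as getspnam(3) does. The
comparisons mirror the ones pam_unix makes at login (an assumption of this
example; check it against your distribution's PAM).
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(iso_day: str) -> int:
    """Calendar day in YYYY-MM-DD (the chage format) -> shadow day number."""
    return (date.fromisoformat(iso_day) - EPOCH).days


def parse_shadow_line(line: str) -> dict:
    """Split one shadow line into a dict; empty numeric fields become -1."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, password, *nums, _reserved = fields
    last, minimum, maximum, warn, inactive, expire = (
        int(f) if f != "" else -1 for f in nums
    )
    return {"name": name, "password": password, "last": last, "min": minimum,
            "max": maximum, "warn": warn, "inactive": inactive, "expire": expire}


def aging_status(entry: dict, today: int) -> str:
    """Classify one parsed entry as of shadow day `today`."""
    last, mx, warn = entry["last"], entry["max"], entry["warn"]
    inact, expire = entry["inactive"], entry["expire"]
    # Account expiry (usermod -e / chage -E) is checked before anything about the password.
    if expire != -1 and today >= expire:
        return "account expired"
    # A last-change day of 0 forces a password change at the next login.
    if last == 0:
        return "must change password at next login"
    if today < last:
        return "last change is in the future"
    # With an empty last_change (-1) this is today + 1, so any maximum age is
    # already exceeded: that is why the note above saw an empty field still expire.
    since = today - last
    if mx != -1 and inact != -1 and since > mx + inact:
        return "password inactive: account locked"   # chage -I / usermod -f window passed
    if mx != -1 and since > mx:
        return "password expired"
    if mx != -1 and warn != -1 and since > mx - warn:
        # Strict '>' means the first warning appears warn-1 days ahead (6 for warn=7).
        return f"warning: password expires in {last + mx - today} days"
    return "ok"


def audit(shadow_text: str, today: int) -> dict:
    """Map each user in a shadow-format text to its aging status."""
    entries = (parse_shadow_line(line) for line in shadow_text.splitlines() if line)
    return {e["name"]: aging_status(e, today) for e in entries}


# Constructed sample: ming as shown above (hash shortened), plus one entry per branch.
SAMPLE_SHADOW = """\
ming:$6$nfkcZ5x7$HASH:19008:0:99999:7:::
short:$6$nfkcZ5x7$HASH:19008:0:10:7:5::
firstlogin:$6$AUsIFTgTuY$HASH:0:0:99999:7:::
emptylast:$6$AUsIFTgTuY$HASH::0:10:7:::
limited:$6$AUsIFTgTuY$HASH:19008:2:33:7::19373:
"""

if __name__ == "__main__":
    today = days_since_epoch("2022-01-20")   # 19012, four days after ming's change
    for user, status in audit(SAMPLE_SHADOW, today).items():
        print(f"{user:<12} {status}")
```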
/etc/group and /etc/gshadow
dbus:x:81:
polkitd:x:998:
ssh_keys:x:997:
sshd:x:74:
postdrop:x:90:
postfix:x:89:
user1:x:1000:
ming:x:1001:
[root@centos7 ~]# cat /etc/group
systemd-journal:!::
systemd-network:!::
dbus:!::
polkitd:!::
ssh_keys:!::
sshd:!::
postdrop:!::
postfix:!::
user1:!::
ming:!::
[root@centos7 ~]# cat /etc/gshadow
A group password exists so that ordinary users can be granted the right to join the group.
Supplementary group membership is shown in the last field of the line in /etc/group.
ming:x:1001:user1
User user1 has joined the group ming; ming is a supplementary group of user1.
/etc/gshadow is the file that stores group passwords.
ming:!!::user1,user2,user3
!! means the group password is disabled: members cannot be added through the group password, only root can manage it.
:: is where the administrator accounts go; each group can have administrators who add and remove members. Empty (the default) means only root manages it.
user1,user2,user3 are the same as in /etc/group: the members who have joined the group are listed here.
Generating random passwords
[root@centos7 ~]# openssl rand -base64 9
rvgumQ+4U67t
[root@centos7 ~]# openssl rand -base64 9
328culZ3wpV1
[root@centos7 ~]# yum -y install expect
Check the man page for mkpasswd:
FLAGS
The -l flag defines the length of the password. The default is 9. The following example creates a 20 character password.
mkpasswd -l 20
The -d flag defines the minimum number of digits that must be in the password. The default is 2. The following example creates a password with at least 3 digits.
mkpasswd -d 3
The -c flag defines the minimum number of lowercase alphabetic characters that must be in the password. The default is 2.
The -C flag defines the minimum number of uppercase alphabetic characters that must be in the password. The default is 2.
EXAMPLE
The following example creates a 15-character password that contains at least 3 digits and 5 uppercase characters.
mkpasswd -l 15 -d 3 -C 5
[root@centos7 ~]# mkpasswd -l 15 -d 3 -C 5
\Dpbel2VZa8Dv9W
[root@centos7 ~]# mkpasswd -l 15 -d 3 -C 5
m0hsZaXZ*O1Dap9
[root@centos7 ~]# mkpasswd -l 15 -d 3 -C 5
zBfuS0evQP6x1H/
C:\Users\MingYi>net accounts
强制用户在时间到期之后多久必须注销?: 从不
密码最短使用期限(天): 0
密码最长使用期限(天): 42
密码长度最小值: 0
保持的密码历史记录长度: None
锁定阈值: 从不
锁定持续时间(分): 30
锁定观测窗口(分): 30
计算机角色: WORKSTATION
命令成功完成。
If you really want to change these dates, don't edit /etc/shadow directly as above; use a command instead
[12:33:30 root@localhost ~]#chage ming
Changing the aging information for ming
Enter the new value, or press ENTER for the default
Minimum Password Age [-1]: 2
Maximum Password Age [-1]: 33
Last Password Change (YYYY-MM-DD) [2022-01-16]:
Password Expiration Warning [-1]: 7
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [-1]: 2023-01-16
[12:34:26 root@localhost ~]#
---- changing the dates ----
Rocky Linux even shows a -1 here, heh; presumably it just means no limit
[12:36:06 root@localhost ~]#getent shadow ming
ming:$6$AUsIFTgTuY/hWn8Y$0PgiuhWLxBGeGRtbd/Niz5R1EsMRvV3gdSRT45jnXMyZisgBzcCybETswhJzuuUQeIPkO/gMzo3rKyXvRAE6h.:19008:2:33:7::19373:
[12:36:13 root@localhost ~]#
[12:36:26 root@localhost ~]#getent passwd ming
ming:x:992:988::/home/ming:/bin/bash
[12:36:34 root@localhost ~]#
[12:36:36 root@localhost ~]#getent group ming
ming:x:988:
[12:36:48 root@localhost ~]#getent gshadow ming
ming:!::
[12:36:53 root@localhost ~]#
[12:36:54 root@localhost ~]#getent passwd ming root
ming:x:992:988::/home/ming:/bin/bash
root:x:0:0:root:/root:/bin/bash
[12:37:02 root@localhost ~]#
vipw and vigr: the recommended commands for editing passwd and group
pwck and grpck: commands that check passwd and group
[12:38:19 root@localhost ~]#pwck
user 'cockpit-ws': directory '/nonexisting' does not exist
user 'cockpit-wsinstance': directory '/nonexisting' does not exist
user 'ming': directory '/home/ming' does not exist
pwck: no changes
[12:39:02 root@localhost ~]#grpck
[12:39:11 root@localhost ~]#ll /home/
total 0
groupadd: creating groups
Create a group
[13:39:41 root@localhost ~]#groupadd admins
[13:39:50 root@localhost ~]#getent group admins
admins:x:1000:
[13:40:00 root@localhost ~]#
Create a system group
[13:40:46 root@localhost ~]#groupadd -r mysql
[13:40:50 root@localhost ~]#
[13:40:52 root@localhost ~]#getent group mysql
mysql:x:987:
[13:40:55 root@localhost ~]#
Rename a group
[13:42:45 root@localhost ~]#getent group admins
admins:x:1000:
[13:42:50 root@localhost ~]#groupmod -n mgmt admins
[13:42:56 root@localhost ~]#getent group mgmt
mgmt:x:1000:
Delete a group
[13:44:06 root@localhost ~]#getent group mgmt
mgmt:x:1000:
[13:44:08 root@localhost ~]#getent group mysql
mysql:x:987:
[13:44:10 root@localhost ~]#groupdel mgmt
[13:44:18 root@localhost ~]#groupdel mysql
[13:44:20 root@localhost ~]#getent group mysql
[13:44:23 root@localhost ~]#getent group mgmt
Why a group cannot be deleted
[13:49:33 root@localhost ~]#groupdel ming
groupdel: cannot remove the primary group of user 'ming'
Because a user has ming as its primary group, and that user is ming itself: the primary group was generated automatically when useradd created ming.
[13:49:43 root@localhost ~]#useradd ming2
[13:51:05 root@localhost ~]#getent group ming2
ming2:x:1000:
[13:51:23 root@localhost ~]#groupdel ming2
groupdel: cannot remove the primary group of user 'ming2'
[13:51:32 root@localhost ~]#userdel ming2
[13:51:39 root@localhost ~]#getent group ming2
[13:51:45 root@localhost ~]#ll /home/
total 0
drwx------. 2 1000 1000 62 Jan 16 13:51 ming2
userdel deletes the user and, with it, the group, but not the home directory, so when creating and deleting users pay attention to whether the home directory is created and deleted along with them
man useradd
-r, --system
Create a system account.
System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).
Note that useradd will not create a home directory for such a user, regardless of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the -m options if you want a home directory for a system account to be created.
man userdel
-f, --force
This option forces the removal of the user account, even if the user is still logged in. It also forces userdel to remove the user's home directory and mail spool, even if another user uses the same home directory or if the mail spool is not owned by the specified user. If USERGROUPS_ENAB is defined to yes in /etc/login.defs and if a group exists with the same name as the deleted user, then this group will be removed, even if it is still the primary group of another user.
Note: This option is dangerous and may leave your system in an inconsistent state.
-h, --help
Display help message and exit.
-r, --remove
Files in the user's home directory will be removed along with the home directory itself and the user's mail spool. Files located in other file systems will have to be searched for and deleted manually.
The mail spool is defined by the MAIL_DIR variable in the login.defs file.
[14:01:12 root@localhost ~]#useradd ming2
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[14:01:18 root@localhost ~]#
[14:01:18 root@localhost ~]#
[14:01:18 root@localhost ~]#getent passwd ming2
ming2:x:1000:1000::/home/ming2:/bin/bash
[14:01:22 root@localhost ~]#
[14:01:23 root@localhost ~]#ll /home/
total 0
drwx------. 2 ming2 ming2 62 Jan 16 13:51 ming2
[14:01:25 root@localhost ~]#
[14:01:26 root@localhost ~]#userdel -r ming2
[14:01:30 root@localhost ~]#ll /home/
total 0
[14:01:32 root@localhost ~]#getent passwd ming2
[14:01:39 root@localhost ~]#getent group ming2
[14:01:43 root@localhost ~]#
Creating and managing users
[14:03:53 root@localhost ~]#rpm -q --scripts postfix
preinstall scriptlet (using /bin/sh):
# Add user and groups if necessary
/usr/sbin/groupadd -g 90 -r postdrop 2>/dev/null
/usr/sbin/groupadd -g 89 -r postfix 2>/dev/null
/usr/sbin/groupadd -g 12 -r mail 2>/dev/null
/usr/sbin/useradd -d /var/spool/postfix -s /sbin/nologin -g postfix -G mail -M -r -u 89 postfix 2>/dev/null
-------------------------
-g 90 : the GID
-r : make it a system group
Learning useradd's options
/usr/sbin/useradd -d /var/spool/postfix -s /sbin/nologin -g postfix -G mail -M -r -u 89 postfix 2>/dev/null
-u 89 : set the user's UID to 89
-s : the shell type
-o : skip the UID uniqueness check
[14:12:58 root@localhost ~]#getent passwd root
root:x:0:0:root:/root:/bin/bash
[14:13:09 root@localhost ~]#useradd -u 0 ming3
useradd: UID 0 is not unique
[14:13:20 root@localhost ~]#getent passwd ming3
[14:13:36 root@localhost ~]#useradd -u 0 -o ming3
[14:13:42 root@localhost ~]#getent passwd ming3
ming3:x:0:1000::/home/ming3:/bin/bash
[14:13:43 root@localhost ~]#getent passwd root
root:x:0:0:root:/root:/bin/bash
[14:14:47 root@localhost ~]#id root
uid=0(root) gid=0(root) groups=0(root)
[14:14:49 root@localhost ~]#id ming3
uid=0(root) gid=0(root) groups=0(root)
[14:14:51 root@localhost ~]#
Create a system service account,
[14:18:18 root@localhost ~]#useradd -r -s /sbin/nologin mysql
[14:18:26 root@localhost ~]#getent passwd mysql
mysql:x:991:987::/home/mysql:/sbin/nologin
The default behaviour: when useradd is not given a primary group, it automatically creates a primary group with the same name as the user
[14:21:35 root@localhost ~]#useradd alice
[14:21:48 root@localhost ~]#id alice
uid=1000(alice) gid=1000(alice) groups=1000(alice)
Specifying the primary group with -g: no primary group is auto-created, and the specified group must already exist
[14:22:33 root@localhost ~]#useradd tom -g alice
[14:22:58 root@localhost ~]#id tom
uid=1001(tom) gid=1000(alice) groups=1000(alice)
-G sets the supplementary groups
[14:24:10 root@localhost ~]#groupadd g1
[14:24:13 root@localhost ~]#groupadd g2
[14:24:21 root@localhost ~]#groupadd g3
[14:24:23 root@localhost ~]#
[14:24:24 root@localhost ~]#useradd jack -g alice -G g1,g2
[14:24:44 root@localhost ~]#id jack
uid=1002(jack) gid=1000(alice) groups=1000(alice),1001(g1),1002(g2)
[14:26:44 root@localhost ~]#getent group | grep jack
g1:x:1001:jack
g2:x:1002:jack
[14:26:49 root@localhost ~]#getent gshadow | grep jack
g1:!::jack
g2:!::jack
[14:26:55 root@localhost ~]#
-N: do not create a same-name primary group; with no group specified either, the default users group is used
[14:28:06 root@localhost ~]#useradd rose -N
[14:28:15 root@localhost ~]#id rose
uid=1003(rose) gid=100(users) groups=100(users)
[14:28:18 root@localhost ~]#
Look at Windows' default behaviour when creating a user: it is the same as Linux's useradd -N, the new user is placed in the users group.
C:\WINDOWS\system32>net user test001 passwd001 /add
命令成功完成。
C:\WINDOWS\system32>net user
\\DESKTOP-5T7A4A1 的用户帐户
-------------------------------------------------------------------------------
___VMware_Conv_SA___ admin Administrator
ciscoacvpnuser DefaultAccount Guest
MingYi named test001
WDAGUtilityAccount
命令成功完成。
C:\WINDOWS\system32>net localgroup users
别名 users
注释 防止用户进行有意或无意的系统范围的更改,但是可以运行大部分应用程序
成员
-------------------------------------------------------------------------------
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
test001
命令成功完成。
C:\WINDOWS\system32>net user
\\DESKTOP-5T7A4A1 的用户帐户
-------------------------------------------------------------------------------
___VMware_Conv_SA___ admin Administrator
ciscoacvpnuser DefaultAccount Guest
MingYi named test001
WDAGUtilityAccount
命令成功完成。
C:\WINDOWS\system32>net user test001 /del
命令成功完成。
C:\WINDOWS\system32>net user
\\DESKTOP-5T7A4A1 的用户帐户
-------------------------------------------------------------------------------
___VMware_Conv_SA___ admin Administrator
ciscoacvpnuser DefaultAccount Guest
MingYi named WDAGUtilityAccount
命令成功完成。
About the home directory
The no-home-directory form: useradd -r -s /sbin/nologin mysql
[14:35:33 root@localhost ~]#getent passwd | tail -5
mysql:x:991:987::/home/mysql:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
tom:x:1001:1000::/home/tom:/bin/bash
jack:x:1002:1000::/home/jack:/bin/bash
rose:x:1003:100::/home/rose:/bin/bash
[14:35:38 root@localhost ~]#ll /home/
total 0
drwx------. 2 alice alice 62 Jan 16 14:21 alice
drwx------. 2 jack alice 62 Jan 16 14:24 jack
drwx------. 2 rose users 62 Jan 16 14:28 rose
drwx------. 2 tom alice 62 Jan 16 14:22 tom
[14:35:43 root@localhost ~]#
Specifying the home directory to create
[14:43:13 root@localhost ~]#useradd -d /data/jerryhome jerry
[14:43:18 root@localhost ~]#ll /data/jerryhome/ -d
drwx------. 2 jerry jerry 62 Jan 16 14:43 /data/jerryhome/
[14:43:29 root@localhost ~]#id jerry
uid=1004(jerry) gid=1004(jerry) groups=1004(jerry)
[14:43:32 root@localhost ~]#
One odd-looking behaviour: a home directory is specified when creating the user, but it is not created
[14:46:22 root@localhost ~]#useradd -d /data/xiaohong -M xiaohong
[14:46:36 root@localhost ~]#id xiaohong
uid=1005(xiaohong) gid=1005(xiaohong) groups=1005(xiaohong)
[14:46:38 root@localhost ~]#ll /data/xiao*
ls: cannot access '/data/xiao*': No such file or directory
And the opposite idea: useradd -r creates a system user with no home directory, while -m creates one
[14:47:50 root@localhost ~]#useradd -r zhangsan
[14:48:09 root@localhost ~]#id zhangsan
uid=990(zhangsan) gid=986(zhangsan) groups=986(zhangsan)
[14:48:10 root@localhost ~]#ll /home/
total 0
drwx------. 2 alice alice 62 Jan 16 14:21 alice
drwx------. 2 jack alice 62 Jan 16 14:24 jack
drwx------. 2 rose users 62 Jan 16 14:28 rose
drwx------. 2 tom alice 62 Jan 16 14:22 tom
[14:48:14 root@localhost ~]#
[14:48:14 root@localhost ~]#useradd -r lisi -m
[14:48:33 root@localhost ~]#ll /home/lisi/ -d
drwx------. 2 lisi lisi 62 Jan 16 14:48 /home/lisi/
[14:48:38 root@localhost ~]#
[14:49:16 root@localhost ~]#useradd -r -m -d /data/ada ada
[14:49:20 root@localhost ~]#ll /data/ada -d
drwx------. 2 ada ada 62 Jan 16 14:49 /data/ada
[14:49:24 root@localhost ~]#id ada
uid=988(ada) gid=988(ada) groups=988(ada)
[14:49:26 root@localhost ~]#
-c : the description field; somewhat useful, for people who are particular
[14:51:48 root@localhost ~]#useradd -c "sbZhuanYong" sb001
[14:52:21 root@localhost ~]#getent passwd sb001
sb001:x:1006:1006:sbZhuanYong:/home/sb001:/bin/bash
[14:52:26 root@localhost ~]#
On CentOS you can yum -y install finger and then view the user's description; on Rocky Linux yum apparently cannot find finger, the Rocky yum repos do not seem to carry a finger rpm.
[root@centos7 ~]# useradd -c 'dalaozhuanyong' dalao001
[root@centos7 ~]# getent passwd dalao001
dalao001:x:1002:1002:dalaozhuanyong:/home/dalao001:/bin/bash
[root@centos7 ~]#
[root@centos7 ~]# finger dalao001
Login: dalao001 Name: dalaozhuanyong
Directory: /home/dalao001 Shell: /bin/bash
Never logged in.
No mail.
No Plan.
[root@centos7 ~]#
----- changing the description ----- desc ---------
[root@centos7 ~]# chfn dalao001
Changing finger information for dalao001.
Name [dalaozhuanyong]:
Office []: !wgame
Office Phone []: 110
Home Phone []: 110
Finger information changed.
[root@centos7 ~]# finger dalao001
Login: dalao001 Name: dalaozhuanyong
Directory: /home/dalao001 Shell: /bin/bash
Office: !wgame, 110 Home Phone: 110
Never logged in.
No mail.
No Plan.
[root@centos7 ~]# getent passwd dalao001
dalao001:x:1002:1002:dalaozhuanyong,!wgame,110,110:/home/dalao001:/bin/bash
[root@centos7 ~]#
So the useradd in the script that postfix runs after, or before, installation can now be understood
[root@centos7 ~]# rpm -q --scripts postfix
preinstall scriptlet (using /bin/sh):
# Add user and groups if necessary
/usr/sbin/groupadd -g 90 -r postdrop 2>/dev/null
/usr/sbin/groupadd -g 89 -r postfix 2>/dev/null
/usr/sbin/groupadd -g 12 -r mail 2>/dev/null
/usr/sbin/useradd -d /var/spool/postfix -s /sbin/nologin -g postfix -G mail -M -r -u 89 postfix 2>/dev/null
[15:08:55 root@localhost yum.repos.d]#yum -y remove postfix
[15:10:09 root@localhost yum.repos.d]#groupadd -r postfix
[15:11:58 root@localhost yum.repos.d]#groupadd postfix-1
[15:12:02 root@localhost yum.repos.d]#
[15:12:03 root@localhost yum.repos.d]#getent group postfix
postfix:x:984:
[15:12:09 root@localhost yum.repos.d]#getent group postfix-1
postfix-1:x:1007:
[15:12:12 root@localhost yum.repos.d]#
[15:12:16 root@localhost yum.repos.d]#id postfix
id: ‘postfix’: no such user
[15:12:19 root@localhost yum.repos.d]#/usr/sbin/useradd -d /var/spool/postfix -s /sbin/nologin -g postfix -G mail -M -r -u 89 postfix
[15:12:23 root@localhost yum.repos.d]#id postfix
uid=89(postfix) gid=984(postfix) groups=984(postfix),12(mail)
[15:12:28 root@localhost yum.repos.d]#ll /home/pos*
ls: cannot access '/home/pos*': No such file or directory
[15:12:33 root@localhost yum.repos.d]#ll /var/spool/pos*
ls: cannot access '/var/spool/pos*': No such file or directory
[15:12:43 root@localhost yum.repos.d]#
Actually -M is meaningless here, just insurance: -r by itself already does not create a home directory.
Note: whether or not userdel is run with -r, always confirm whether the home directory was really deleted, because in my operations I found that sometimes the home directory seemed to be deleted even without -r. This was on Rocky Linux.
useradd's default behaviour is defined in a file
[15:25:22 root@localhost ~]#cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[15:25:27 root@localhost ~]#getent group users
users:x:100:
[15:26:08 root@localhost ~]#
GROUP=100: when useradd -N creates no primary group, the user is automatically put into the users primary group; that behaviour comes from GROUP=100.
INACTIVE=-1: whether there is a grace period after the password expires; the default is an unlimited grace period.
HOME=/home: where home directories go by default
CREATE_MAIL_SPOOL=yes: create the user's mailbox when the user is created,
[15:26:08 root@localhost ~]#ll /var/spool/mail/
total 0
-rw-rw----. 1 alice mail 0 Jan 16 14:21 alice
-rw-rw----. 1 jack mail 0 Jan 16 14:24 jack
-rw-rw----. 1 jerry mail 0 Jan 16 14:43 jerry
-rw-rw----. 1 rose mail 0 Jan 16 14:28 rose
-rw-rw----. 1 sb001 mail 0 Jan 16 14:52 sb001
-rw-rw----. 1 tom mail 0 Jan 16 14:22 tom
-rw-rw----. 1 xiaohong mail 0 Jan 16 14:46 xiaohong
SKEL=/etc/skel: where the hidden files in a newly created home directory come from
[15:33:50 root@localhost ~]#ls -a /etc/skel/
. .. .bash_logout .bash_profile .bashrc
[15:33:53 root@localhost ~]#
So if you need certain files to appear automatically in the home directory of a newly created user, there is a way
[15:36:42 root@localhost ~]#ls -a /etc/skel
. .. .bash_logout .bash_profile .bashrc
[15:36:51 root@localhost ~]#
[15:37:01 root@localhost ~]#ls -a /home/
alice/ jack/ lisi/ rose/ sb001/ tom/
[15:37:01 root@localhost ~]#ls -a /home/alice/
. .. .bash_logout .bash_profile .bashrc
[15:37:13 root@localhost ~]#touch /etc/skel/.vimrc
[15:37:22 root@localhost ~]#ls -a /etc/skel/
. .. .bash_logout .bash_profile .bashrc .vimrc
[15:37:32 root@localhost ~]#useradd test-1
[15:37:43 root@localhost ~]#ls -a /home/test-1/
. .. .bash_logout .bash_profile .bashrc .vimrc
[15:37:49 root@localhost ~]#
There is one more file defining default behaviour
[15:43:09 root@localhost ~]#cat /etc/login.defs | grep -Ev "^#|^$"
MAIL_DIR /var/spool/mail
UMASK 022
HOME_MODE 0700
PASS_MAX_DAYS 99999 # maximum password age
PASS_MIN_DAYS 0 # the password can be changed immediately, no waiting
PASS_MIN_LEN 5 # minimum password length 5
PASS_WARN_AGE 7
UID_MIN 1000 # ordinary user UIDs start at 1000 by default; this is where that is set
UID_MAX 60000 # 1000 and 60000 are the range for automatic assignment; manual assignment is not bound by it
SYS_UID_MIN 201 # automatic system UID range
SYS_UID_MAX 999 # automatic system UID range
GID_MIN 1000
GID_MAX 60000
SYS_GID_MIN 201
SYS_GID_MAX 999
CREATE_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512 # the default hash algorithm, the $6 in /etc/shadow
[15:43:16 root@localhost ~]#
root is not bound by the configuration above
So the files involved in creating a new user by default are as follows
[15:51:36 root@localhost ~]#ll /etc/default/useradd -d
-rw-r--r--. 1 root root 119 Aug 19 03:04 /etc/default/useradd
[15:51:40 root@localhost ~]#ll /etc/skel -d
drwxr-xr-x. 2 root root 76 Jan 16 15:37 /etc/skel
[15:51:44 root@localhost ~]#ll /etc/login.defs -d
-rw-r--r--. 1 root root 2512 Aug 19 03:04 /etc/login.defs
/etc/default/useradd can also be viewed with useradd -D
[15:53:09 root@localhost ~]#useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[15:54:10 root@localhost ~]#cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
1. Edit the file directly
2. Change it through useradd
useradd -D -s SHELL   the shell type
useradd -D -b BASE_DIR   the base directory, /home
useradd -D -g GROUP   the default group used with useradd -N
[15:54:22 root@localhost ~]#useradd -D -g 1000
[16:01:36 root@localhost ~]#cat /etc/default/useradd
# useradd defaults file
GROUP=1000
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[16:01:37 root@localhost ~]#
Batch operations
newusers # batch-create users from a passwd-format file
chpasswd # batch-change user passwords
Copy lines in /etc/passwd format into a separate file, then on another machine run newusers xxx to create them
user1:x:1008:1009::/home/user1:/bin/bash
user2:x:1009:1010::/home/user2:/bin/bash
user3:x:1010:1011::/home/user3:/bin/bash
user4:x:1011:1012::/home/user4:/sbin/nologin
[13:58:02 root@localhost ~]#getent passwd
----- see the concrete creation process below 👇 ----------
[root@centos7 ~]# cat addusers
user1:x:1008:1009::/home/user1:/bin/bash
user2:x:1009:1010::/home/user2:/bin/bash
user3:x:1010:1011::/home/user3:/bin/bash
user4:x:1011:1012::/home/user4:/sbin/nologin
[root@centos7 ~]# newusers addusers
newusers: line 5: invalid line
newusers: line 6: invalid line
newusers: error detected, changes ignored
[root@centos7 ~]# cat addusers -n
1 user1:x:1008:1009::/home/user1:/bin/bash
2 user2:x:1009:1010::/home/user2:/bin/bash
3 user3:x:1010:1011::/home/user3:/bin/bash
4 user4:x:1011:1012::/home/user4:/sbin/nologin
5
6
[root@centos7 ~]#
--------- 👆 unfortunately it errored ------------
After deleting the extra blank lines, try again 👇 -----------
[root@centos7 ~]# cat addusers
user1:x:1008:1009::/home/user1:/bin/bash
user2:x:1009:1010::/home/user2:/bin/bash
user3:x:1010:1011::/home/user3:/bin/bash
user4:x:1011:1012::/home/user4:/sbin/nologin
[root@centos7 ~]#
[root@centos7 ~]# newusers addusers
[root@centos7 ~]# getent passwd |grep user*
user1:x:1000:1000::/home/user1:/bin/bash
user2:x:1009:1010::/home/user2:/bin/bash
user3:x:1010:1011::/home/user3:/bin/bash
user4:x:1011:1012::/home/user4:/sbin/nologin
[root@centos7 ~]#
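An added example (not code from these notes) that checks a newusers input file for exactly the kind of problem hit above, the trailing blank lines that make newusers reject the whole file, plus malformed lines and duplicate names or uids, and produces the cleaned file. The sample is the addusers content above, reconstructed with its two blank lines.

```python
"""Check a newusers(8) input file before running it (added example, not from
these notes). newusers reads passwd-style lines name:password:uid:gid:gecos:home:shell
and, as shown above, rejects the whole file when any line is malformed, which is
what the two trailing blank lines triggered."""


def check_newusers_file(text: str) -> list:
    """Return 'line N: problem' strings in file order; an empty list means clean."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                       # the newline ending the last line, not a blank line
    problems, names, uids = [], {}, {}
    for lineno, raw in enumerate(lines, 1):
        if raw.strip() == "":
            problems.append(f"line {lineno}: blank line (newusers reports 'invalid line')")
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            problems.append(f"line {lineno}: {len(fields)} fields, need 7")
            continue
        name, _password, uid, _gid, _gecos, home, shell = fields
        if not name:
            problems.append(f"line {lineno}: empty user name")
        elif name in names:
            problems.append(f"line {lineno}: name {name!r} repeats line {names[name]}")
        names[name] = lineno
        if uid:                           # an empty uid lets newusers pick one
            if not uid.isdigit():
                problems.append(f"line {lineno}: uid {uid!r} is not a number")
            elif uid in uids:
                problems.append(f"line {lineno}: uid {uid} repeats line {uids[uid]}")
            uids[uid] = lineno
        if home and not home.startswith("/"):
            problems.append(f"line {lineno}: home {home!r} is not an absolute path")
        if shell and not shell.startswith("/"):
            problems.append(f"line {lineno}: shell {shell!r} is not an absolute path")
    return problems


def clean_newusers_file(text: str) -> str:
    """Drop blank lines, which is the fix applied above, keeping everything else."""
    return "".join(line + "\n" for line in text.splitlines() if line.strip())


# Constructed sample: the addusers file above, as it looked with its two trailing blank lines.
ADDUSERS = (
    "user1:x:1008:1009::/home/user1:/bin/bash\n"
    "user2:x:1009:1010::/home/user2:/bin/bash\n"
    "user3:x:1010:1011::/home/user3:/bin/bash\n"
    "user4:x:1011:1012::/home/user4:/sbin/nologin\n"
    "\n"
    "\n"
)

if __name__ == "__main__":
    for problem in check_newusers_file(ADDUSERS):
        print(problem)
    print("after cleaning:", check_newusers_file(clean_newusers_file(ADDUSERS)) or "clean")
```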
------------- then batch-change the passwords, method 1 👇 --------------
[root@centos7 ~]# chpasswd
user1:cisco # only takes effect after exiting cleanly with Ctrl-D
[root@centos7 ~]# getent shadow user1
user1:$6$dR6ZP/lQ5aA$V6xJwgibZELgZh2NKOVDSez8CTzw6h05NX.n/Ft4ZpGtlVNfNEpkpTFRdZqkSQWKKgeZ/BxKgfSm2BRcFaMgo0:19029:0:99999:7:::
[root@centos7 ~]# chpasswd
user1:huawei
^C # do not force-quit with Ctrl-C
[root@centos7 ~]# getent shadow user1
user1:$6$dR6ZP/lQ5aA$V6xJwgibZELgZh2NKOVDSez8CTzw6h05NX.n/Ft4ZpGtlVNfNEpkpTFRdZqkSQWKKgeZ/BxKgfSm2BRcFaMgo0:19029:0:99999:7:::
[root@centos7 ~]#
------ 👆 Note: no screenshots here, to make later searching easier, but beware of losing details. Here Ctrl-C was used to force-quit, so the change did not take effect; many such interactive configurations need Ctrl-D to exit. ---------
---- non-interactive way 👇 ------
[root@centos7 ~]# echo user1:lianxiang |chpasswd
[root@centos7 ~]# getent shadow user1
user1:$6$A55IfCFmc$aJPxuWvGRvpTzNocXonzz/gEZTEjV7y3qcHSWEPvxZg1IfA0EUrXMMBpOsw9DXodx4KQ1yCa8SZCTiQtvDYu50:19029:0:99999:7:::
[root@centos7 ~]#
--------- batch method 👇 --- changing passwords 1 ----------
[root@centos7 ~]# vi p.set
[root@centos7 ~]# cat p.set
user1:centos
user2:cisco
user3:huawei
[root@centos7 ~]# cat p.set |chpasswd
[root@centos7 ~]# getent shadow user1
user1:$6$PFoqG/41wd3x$PDCFFjFD84xNc2t4je5119lP.ifsTyspYRGnbP4Bx0QpP/9XRd4s9vUFICbEdoDv3pOd7y/7PBLuBsE6EXhwu/:19029:0:99999:7:::
[root@centos7 ~]# getent shadow user2
user2:$6$0ilWD/oW7CN$IdC6Gz0.eJKdPBWuGx4KJR00GBrjoxE8KWtCp9lurmP1TaCQGcUra5.VscBTQZ5Um0lKYZO.qb6/fNyYiey0s1:19029:0:99999:7:::
[root@centos7 ~]# getent shadow user3
user3:$6$Uv41MY/y9$Q1251b9f9CPX5/sQ1aDhITVsl9pbKEXJspkV4uib/ugaCAlMfg9/Xy4WJBdyq56SJF4k5YuIc0muouxLpi61T0:19029:0:99999:7:::
[root@centos7 ~]#
Viewing ids
[root@centos7 ~]# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1)
[root@centos7 ~]# id -u user1
1000
[root@centos7 ~]# id -g user1
1000
[root@centos7 ~]# id -G user1
1000
[root@centos7 ~]# id -n user1
id: cannot print only names or real IDs in default format
[root@centos7 ~]# id -ng user1
user1
[root@centos7 ~]# id -ngG user1
id: cannot print "only" of more than one choice
[root@centos7 ~]# id -nG user1
user1
usermod: modifying users
[16:04:46 root@localhost ~]#id jack
uid=1002(jack) gid=1000(alice) groups=1000(alice),1001(g1),1002(g2)
[16:04:48 root@localhost ~]#usermod -g sb001 jack # change the primary group
[16:04:56 root@localhost ~]#id jack
uid=1002(jack) gid=1006(sb001) groups=1006(sb001),1001(g1),1002(g2)
[16:04:58 root@localhost ~]#usermod -G root jack # -G sets supplementary groups; note that it overwrites the existing list
[16:05:11 root@localhost ~]#id jack
uid=1002(jack) gid=1006(sb001) groups=1006(sb001),0(root)
[16:05:13 root@localhost ~]#
You need -aG; -a only works together with -G, because no other attribute holds multiple values.
[16:05:11 root@localhost ~]#id jack
uid=1002(jack) gid=1006(sb001) groups=1006(sb001),0(root)
[16:06:01 root@localhost ~]#usermod -aG g1,g2,g3 jack
[16:06:12 root@localhost ~]#id jack
uid=1002(jack) gid=1006(sb001)
groups=1006(sb001),1001(g1),1002(g2),1003(g3),0(root)
Logging in with an empty password
Related to user locking: logging in without entering a password
Edit the two !! in /etc/shadow; when no password has been set, the field is !!
[11:38:54 root@localhost ~]#cat /etc/shadow |grep lisi
lisi:!!:19008::::::
[11:38:59 root@localhost ~]#vi /etc/shadow
[11:39:14 root@localhost ~]#cat /etc/shadow |grep lisi
lisi::19008::::::
Removing the x in /etc/passwd has the same effect: no password needed. x is just a placeholder indicating that the password is kept in /etc/shadow.
[11:47:43 root@localhost ~]#cat /etc/passwd |grep sb001
sb001:x:1006:1006:sbZhuanYong:/home/sb001:/bin/bash
[11:47:44 root@localhost ~]#vi /etc/passwd
[11:48:00 root@localhost ~]#cat /etc/passwd |grep sb001
sb001::1006:1006:sbZhuanYong:/home/sb001:/bin/bash
Note: this seems to no longer work
Locking users
[root@centos7 ~]# useradd test
[root@centos7 ~]# getent passwd test
test:x:1003:1003::/home/test:/bin/bash
[root@centos7 ~]# getent shadow test
test:!!:19029:0:99999:7::: # a newly created user is locked
[root@centos7 ~]# getent group test
test:x:1003:
[root@centos7 ~]# getent gshadow test
test:!::
-------↓-------- changes after setting a password ------↓---------
[root@centos7 ~]# echo cisco |passwd --stdin test
Changing password for user test.
passwd: all authentication tokens updated successfully.
[root@centos7 ~]# getent passwd test
test:x:1003:1003::/home/test:/bin/bash
[root@centos7 ~]# getent shadow test
test:$6$QexkrOWQ$3e85TAtRmiYEMioZOU8QJ7qaD0xCP2lW4Dposctg7evJMRZy3kseNQXD.C21lKtXtqFnzGEhCnbiFq7yI4c5H.:19029:0:99999:7:::
[root@centos7 ~]# getent group test
test:x:1003:
[root@centos7 ~]# getent gshadow test
test:!::
-------👇------ changes after locking ----------
[root@centos7 ~]# usermod -L test
[root@centos7 ~]# getent passwd test
test:x:1003:1003::/home/test:/bin/bash
[root@centos7 ~]# getent shadow test
test:!$6$QexkrOWQ$3e85TAtRmiYEMioZOU8QJ7qaD0xCP2lW4Dposctg7evJMRZy3kseNQXD.C21lKtXtqFnzGEhCnbiFq7yI4c5H.:19029:0:99999:7::: # the lock is added in shadow
[root@centos7 ~]# getent group test
test:x:1003:
[root@centos7 ~]# getent gshadow test
test:!:: # gshadow is always like this
[root@centos7 ~]#
------👇---- unlocking ------
[root@centos7 ~]# usermod -U test
[root@centos7 ~]# getent shadow test
test:$6$QexkrOWQ$3e85TAtRmiYEMioZOU8QJ7qaD0xCP2lW4Dposctg7evJMRZy3kseNQXD.C21lKtXtqFnzGEhCnbiFq7yI4c5H.:19029:0:99999:7:::
[root@centos7 ~]#
-------👇 if the password is empty you are not allowed to unlock ----
[root@centos7 ~]# useradd ceshi
[root@centos7 ~]# getent passwd ceshi
ceshi:x:1004:1004::/home/ceshi:/bin/bash
[root@centos7 ~]# getent shadow ceshi
ceshi:!!:19029:0:99999:7:::
[root@centos7 ~]# usermod -U ceshi
usermod: unlocking the user's password would result in a passwordless account.
You should set a password with usermod -p to unlock this user's password.
As for !! versus !, there is no difference: both are locks, and in either case -U cannot unlock unless a password has been set, though you can unlock by editing with vi.
Of course the ! can also be put into passwd, added manually with vi; usermod -L and -U both operate on shadow, and the one in passwd takes precedence over the one in shadow.
Actually, for echo "cisco" | passwd --stdin test, the non-interactive password change, I can also do it this way:
Tested personally, works reliably.
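An added example (not code from these notes) that classifies the lock states shown above from an account's passwd and shadow lines, and lists accounts whose files allow login with no password at all, which is the check to run after anyone has hand-edited these files. The sample lines are constructed after the test, lisi, sb001 and ceshi entries above with shortened hashes.

```python
"""Classify the password/lock state of an account from its /etc/passwd and
/etc/shadow lines (added example, not from these notes). It covers the states
shown above: 'x' with a hash in shadow, '!!' for a password never set, the '!'
prefix usermod -L adds, and an empty field, which is the passwordless case."""

HASH_NAMES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}


def password_state(passwd_line: str, shadow_line: str) -> str:
    """Describe how the account authenticates; the passwd field is judged first."""
    pw = passwd_line.split(":")[1]
    sp = shadow_line.split(":")[1]
    if pw == "":
        # Whether a blank field is actually accepted at login is decided by the
        # PAM configuration (pam_unix's nullok option), but the file allows it.
        return "PASSWORDLESS: empty field in /etc/passwd"
    if pw.startswith("!"):
        return "locked in /etc/passwd (usermod -U edits only shadow)"
    if pw != "x":
        return "hash kept in /etc/passwd, shadow not consulted"
    if sp == "":
        return "PASSWORDLESS: empty field in /etc/shadow"
    if sp in ("!", "!!"):
        return "locked, no password set (usermod -U refuses)"
    if sp.startswith("!"):
        algo = HASH_NAMES.get(sp[1:4], "unknown")
        return f"locked by usermod -L, {algo} hash kept (usermod -U restores it)"
    if sp == "*":
        return "no valid hash (*): password login disabled"
    return f"active, {HASH_NAMES.get(sp[:3], 'unknown')} hash"


def find_passwordless(passwd_text: str, shadow_text: str) -> list:
    """Names that the files allow to log in with no password at all."""
    shadow = {line.split(":")[0]: line for line in shadow_text.splitlines() if line}
    hits = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        name = line.split(":")[0]
        # A user missing from shadow is treated as never having had a password.
        state = password_state(line, shadow.get(name, f"{name}:!!:::::::"))
        if state.startswith("PASSWORDLESS"):
            hits.append(name)
    return hits


# Constructed sample modelled on the entries above (hashes shortened, uids made up).
SAMPLE_PASSWD = """\
test:x:1003:1003::/home/test:/bin/bash
lisi:x:1009:1009::/home/lisi:/bin/bash
sb001::1006:1006:sbZhuanYong:/home/sb001:/bin/bash
ceshi:x:1004:1004::/home/ceshi:/bin/bash
mysql:x:991:987::/home/mysql:/sbin/nologin
"""
SAMPLE_SHADOW = """\
test:!$6$QexkrOWQ$HASH:19029:0:99999:7:::
lisi::19008::::::
sb001:$6$nfkcZ5x7$HASH:19008:0:99999:7:::
ceshi:!!:19029:0:99999:7:::
mysql:*:19008::::::
"""

if __name__ == "__main__":
    shadow = {line.split(":")[0]: line for line in SAMPLE_SHADOW.splitlines()}
    for line in SAMPLE_PASSWD.splitlines():
        name = line.split(":")[0]
        print(f"{name:<8} {password_state(line, shadow[name])}")
    print("passwordless:", find_passwordless(SAMPLE_PASSWD, SAMPLE_SHADOW))
```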
Changing the account expiry date
chage is better for this
It is the second-to-last field of the shadow line (account expiry); the last field is reserved.
[root@centos7 ~]# getent shadow test
test:!$6$QexkrOWQ$3e85TAtRmiYEMioZOU8QJ7qaD0xCP2lW4Dposctg7evJMRZy3kseNQXD.C21lKtXtqFnzGEhCnbiFq7yI4c5H.:19029:0:99999:7:::
[root@centos7 ~]# usermod -U test
[root@centos7 ~]# usermod -e 2023-12-12 test
[root@centos7 ~]# getent shadow test
test:$6$QexkrOWQ$3e85TAtRmiYEMioZOU8QJ7qaD0xCP2lW4Dposctg7evJMRZy3kseNQXD.C21lKtXtqFnzGEhCnbiFq7yI4c5H.:19029:0:99999:7::19703:
Setting the password grace period
chage is better for this
How many days you can still use the account after the maximum age has run out
[root@centos7 ~]# getent shadow test
test:$6$QexkrOWQ$3e85TAtRmiYEMioZOU8QJ7qaD0xCP2lW4Dposctg7evJMRZy3kseNQXD.C21lKtXtqFnzGEhCnbiFq7yI4c5H.:19029:0:99999:7::19703:
[root@centos7 ~]# usermod -f 3 test
[root@centos7 ~]# getent shadow test
test:$6$QexkrOWQ$3e85TAtRmiYEMioZOU8QJ7qaD0xCP2lW4Dposctg7evJMRZy3kseNQXD.C21lKtXtqFnzGEhCnbiFq7yI4c5H.:19029:0:99999:7:3:19703:
[root@centos7 ~]#
For changing dates, still use chage
Both interactive and non-interactive forms exist
[root@centos7 ~]# chage test
Changing the aging information for test
Enter the new value, or press ENTER for the default
Minimum Password Age [0]:
Maximum Password Age [99999]:
Last Password Change (YYYY-MM-DD) [2022-02-06]:
Password Expiration Warning [7]:
Password Inactive [3]:
Account Expiration Date (YYYY-MM-DD) [2023-12-12]:
[root@centos7 ~]#
[root@centos7 ~]# chage -h
Usage: chage [options] LOGIN
Options:
-d, --lastday LAST_DAY set date of last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-h, --help display this help message and exit
-I, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-l, --list show account aging information
-m, --mindays MIN_DAYS set minimum number of days before password
change to MIN_DAYS
-M, --maxdays MAX_DAYS set maximum number of days before password
change to MAX_DAYS
-R, --root CHROOT_DIR directory to chroot into
-W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS
[root@centos7 ~]#
------ note the -E option's date format is a bit of a trap --------- 👇 -- write it out by hand as YYYY-MM-DD -----
[root@centos7 ~]# chage -E 10 test
[root@centos7 ~]# getent shadow test
test:$6$QexkrOWQ$3e85TAtRmiYEMioZOU8QJ7qaD0xCP2lW4Dposctg7evJMRZy3kseNQXD.C21lKtXtqFnzGEhCnbiFq7yI4c5H.:19029:0:99999:7:3:10:
[root@centos7 ~]# chage -E 2022-12-12 test
[root@centos7 ~]# getent shadow test
test:$6$QexkrOWQ$3e85TAtRmiYEMioZOU8QJ7qaD0xCP2lW4Dposctg7evJMRZy3kseNQXD.C21lKtXtqFnzGEhCnbiFq7yI4c5H.:19029:0:99999:7:3:19338:
[root@centos7 ~]# chage -I 2 test
[root@centos7 ~]# getent shadow test
test:$6$QexkrOWQ$3e85TAtRmiYEMioZOU8QJ7qaD0xCP2lW4Dposctg7evJMRZy3kseNQXD.C21lKtXtqFnzGEhCnbiFq7yI4c5H.:19029:0:99999:7:2:19338:
[root@centos7 ~]#
userdel: deleting users
[root@centos7 ~]# ll /home/
total 0
drwx------. 2 ceshi ceshi 83 Feb 6 12:08 ceshi
drwx------. 2 dalao001 dalao001 62 Feb 5 14:54 dalao001
drwx------. 2 ming ming 83 Jan 26 09:44 ming
drwx------. 2 test test 83 Feb 6 12:08 test
drwx------. 2 998 996 62 Feb 5 15:20 test001
drwx------. 2 user1 user1 96 Jan 10 14:16 user1
[root@centos7 ~]#
[root@centos7 ~]#
[root@centos7 ~]# ll /var/spool/mail/
total 0
-rw-rw----. 1 ceshi mail 0 Feb 6 12:06 ceshi
-rw-rw----. 1 dalao001 mail 0 Feb 5 14:54 dalao001
-rw-rw----. 1 ming mail 0 Jan 16 09:28 ming
-rw-rw----. 1 test mail 0 Feb 6 11:57 test
-rw-rw----. 1 user1 mail 0 Jan 10 11:12 user1
[root@centos7 ~]#
[root@centos7 ~]# userdel test
[root@centos7 ~]# ll /home/test -d
drwx------. 2 1003 1003 83 Feb 6 12:08 /home/test
[root@centos7 ~]# ll /var/spool/mail/test -d
-rw-rw----. 1 1003 mail 0 Feb 6 11:57 /var/spool/mail/test # besides the home directory, check whether the mailbox is deleted too
[root@centos7 ~]#
------ Don't assume that re-creating the test user will reconnect it to the home directory and mailbox that were not deleted; that is impossible, because this user is not that user. As the poem says, "Last year, this day, within this gate, her face and the peach blossoms glowed together red; where her face has gone I do not know, the peach blossoms still smile in the spring breeze." In one sentence: the uid has changed. If the uid had not changed it could still be reconnected, or you can manually change the new user's uid to the previous id and it reconnects. 👇 --
[root@centos7 ~]# useradd test
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
Creating mailbox file: File exists
[root@centos7 ~]#
[root@centos7 ~]#
[root@centos7 ~]# ll /var/spool/mail/test -d
-rw-rw----. 1 1003 mail 0 Feb 6 11:57 /var/spool/mail/test
[root@centos7 ~]# ll /home/test -d
drwx------. 2 1003 1003 83 Feb 6 12:08 /home/test
[root@centos7 ~]# userdel -r test
userdel: /var/spool/mail/test not owned by test, not removing
userdel: /home/test not owned by test, not removing
[root@centos7 ~]# ll /var/spool/mail/test -d
-rw-rw----. 1 1003 mail 0 Feb 6 11:57 /var/spool/mail/test
[root@centos7 ~]# ll /home/test
test/ test001/
[root@centos7 ~]# ll /home/test -d
drwx------. 2 1003 1003 83 Feb 6 12:08 /home/test
[root@centos7 ~]# userdel -r test
userdel: user 'test' does not exist
----- option -r ---- 👇 can delete the user's home directory and mailbox -------
[root@centos7 ~]# useradd test2
[root@centos7 ~]# ll /home/test2 -d
drwx------. 2 test2 test2 62 Feb 6 13:36 /home/test2
[root@centos7 ~]# ll /var/spool/mail/test2 -d
-rw-rw----. 1 test2 mail 0 Feb 6 13:36 /var/spool/mail/test2
[root@centos7 ~]# userdel -r test2
[root@centos7 ~]# ll /home/test2 -d
ls: cannot access /home/test2: No such file or directory
[root@centos7 ~]# ll /var/spool/mail/test2 -d
ls: cannot access /var/spool/mail/test2: No such file or directory
[root@centos7 ~]#
Also, if nobody else is in the group, userdel removes the group too.
So with userdel, watch whether the group, home directory and mailbox change. Once the user is gone, if the group, home directory or mailbox remain, the owner shown in those files' attributes becomes the user's numeric uid instead of the former user name. And 1005 is then just a bare number with no user corresponding to it.
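Added example (not from the original notes): a check for exactly the leftovers described above, files whose numeric owner or group no longer maps to a name in passwd or group. The passwd file, group file and a "uid gid path" listing are passed as arguments so the function can run on the constructed sample below; for a real host, pass /etc/passwd, /etc/group and a listing produced by GNU find's `-printf '%U %G %p\n'` (or use `find / -xdev \( -nouser -o -nogroup \)` directly). Function names and sample data are mine.

```shell
#!/bin/sh
# orphan_files PASSWD_FILE GROUP_FILE LISTING_FILE
# LISTING_FILE lines look like "<uid> <gid> <path>", the shape that
#   find /home /var/spool/mail -xdev -printf '%U %G %p\n'
# produces. Prints one line per entry whose uid or gid has no name:
#   <path> uid=<uid>(<name or ?>) gid=<gid>(<name or ?>)
orphan_files() {
    awk -F: '
        FNR == 1 { f++ }                        # count which input file we are in
        f == 1 { uname[$3] = $1; next }         # passwd: uid -> name
        f == 2 { gname[$3] = $1; next }         # group:  gid -> name
        {
            # listing: split on spaces ourselves (FS is still ":"), and
            # rebuild the path in case it contains spaces
            n = split($0, a, " ")
            uid = a[1]; gid = a[2]
            path = a[3]; for (i = 4; i <= n; i++) path = path " " a[i]
            if (!(uid in uname) || !(gid in gname))
                printf "%s uid=%s(%s) gid=%s(%s)\n", path,
                    uid, ((uid in uname) ? uname[uid] : "?"),
                    gid, ((gid in gname) ? gname[gid] : "?")
        }
    ' "$1" "$2" "$3"
}

# demo_orphans: constructed passwd/group excerpts and a constructed listing
# mirroring the state after "userdel test" above (uid 1003 no longer exists).
demo_orphans() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nming:x:1001:1001::/home/ming:/bin/bash\n' > "$tmp/passwd"
    printf 'root:x:0:\nmail:x:12:\nming:x:1001:\n' > "$tmp/group"
    printf '1001 1001 /home/ming\n1003 1003 /home/test\n1003 12 /var/spool/mail/test\n0 0 /root\n' > "$tmp/listing"
    orphan_files "$tmp/passwd" "$tmp/group" "$tmp/listing"
    rm -rf "$tmp"
}
```

Running `demo_orphans` reports /home/test and /var/spool/mail/test and nothing else; the mailbox still resolves its group (mail), which is why both the uid and the gid are printed.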
PATH contents vary by user
A variable is variable: the PATH contents of root and user1 are not the same
[root@centos7 ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[user1@centos7 ~]$ echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/user1/.local/bin:/home/user1/bin
[user1@centos7 ~]$
Switching with su
su - user1 # switches the user environment along with the user
su # switches in place; the pwd path stays the same
------------ full switch 👇 ----------------
[root@centos7 data]# pwd
/data
[root@centos7 data]# su - user1
Last login: Sun Feb 6 16:10:51 CST 2022 on pts/0
[user1@centos7 ~]$ pwd
/home/user1
[user1@centos7 ~]$ echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/user1/.local/bin:/home/user1/bin
[user1@centos7 ~]$
-------------- in-place switch 👇 - pwd and $PATH both stay unchanged --------------
[root@centos7 data]# su user1
[user1@centos7 data]$ pwd
/data
[user1@centos7 data]$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
[user1@centos7 data]$
-------- run a command as another user without switching to it ---- 👇 --------------
[user1@centos7 data]$ su root -c "getent shadow root"
Password:
root:$6$Kih8C.5/adh8TNjx$wNC09CUb7KsECwLH1LFfAagv8N47OAEqSMHLlOuU.vB24ZzU/H5p6DLpNV31zLKlJioqNmXkIkQEaAUf0H74Z0::0:99999:7:::
[user1@centos7 data]$
su or su - followed directly by Enter switches to root; the root argument is there by default
root switching to an ordinary user needs no password
an ordinary user switching to root needs the password
The case of Ubuntu not allowing root login by default
Ubuntu does not let root log in by default; su asks for a password, but the root password was never set, so by default
Even root's password entry cannot be fully viewed by a non-root user
That is when you have to use sudo
sudo -i prompts for the current ordinary user's own password --- 👇 --
Not every account can sudo into root; this one can because the wang account was granted it when the system was installed.
So on Ubuntu, once the ! here is removed, root logs in directly without a password
---- and the above only enabled local root login 👆 ----- remote root still cannot log in to Ubuntu --------
----- 👇 usually only the first account created at install time can sudo -i into root ------
Useful passwd options
[root@centos7 data]# type passwd # external command, so check --help for help; man works as well
passwd is hashed (/usr/bin/passwd)
[root@centos7 data]# passwd --help
Usage: passwd [OPTION...] <accountName>
-k, --keep-tokens keep non-expired authentication tokens
-d, --delete delete the password for the named account (root only)
-l, --lock lock the password for the named account (root only)
-u, --unlock unlock the password for the named account (root only)
-e, --expire expire the password for the named account (root only)
-f, --force force operation
-x, --maximum=DAYS maximum password lifetime (root only)
-n, --minimum=DAYS minimum password lifetime (root only)
-w, --warning=DAYS number of days warning users receives before password expiration (root only)
-i, --inactive=DAYS number of days after password expiration when an account becomes disabled (root only)
-S, --status report password status on the named account (root only)
--stdin read new tokens from stdin (root only)
Help options:
-?, --help Show this help message
--usage Display brief usage message
-d : delete the password
-l : same as usermod -L
-u : same as usermod -U
-e : 👈 this one is good; the typical use case is forcing a user to change the password at first login.
-n -x -w : these overlap with chage and usermod; any of them can change these settings, chage or passwd is recommended.
Method 2 for changing a password
echo cisco | passwd --stdin user1 &> /dev/null
How do you batch this passwd? Both the password and the user are variables. The password can go into a file and be piped with cat file | to passwd, but how do you handle the user? Is there something like chpasswd for this~ Note, key point here 👉 said with a drawl~. Other technical issues can be ignored~
[root@centos7 data]# vi change_passwd.sh
[root@centos7 data]#
[root@centos7 data]# . change_passwd.sh # this is also a dot; the N ways of running a script come later
Changing password for user user1.
passwd: all authentication tokens updated successfully.
Changing password for user user2.
passwd: all authentication tokens updated successfully.
Changing password for user user3.
passwd: all authentication tokens updated successfully.
[root@centos7 data]#
[root@centos7 data]# cat change_passwd.sh
#!/bin/bash
echo cisco |passwd --stdin user1
echo huawei |passwd --stdin user2
echo juniper |passwd --stdin user3
[root@centos7 data]#
-------- 👇 tidying up the output -----------
[root@centos7 data]# . change_passwd.sh
[root@centos7 data]#
[root@centos7 data]# cat change_passwd.sh
#!/bin/bash
echo cisco |passwd --stdin user1 > /dev/null
echo huawei |passwd --stdin user2 > /dev/null
echo juniper |passwd --stdin user3 > /dev/null
[root@centos7 data]#
Changing the shell type
[root@centos7 data]# getent passwd user1
user1:x:1000:1000::/home/user1:/bin/bash
[root@centos7 data]# chsh -s /sbin/nologin user1
Changing shell for user1.
chsh: Warning: "/sbin/nologin" is not listed in /etc/shells.
Shell changed.
[root@centos7 data]# getent passwd user1
user1:x:1000:1000::/home/user1:/sbin/nologin
[root@centos7 data]# cat /etc/shells
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
[root@centos7 data]#
-------- equivalent to usermod -s --------- (note that usermod -s below accepts the misspelled /sbin/nolgin without checking /etc/shells or whether the file exists)
[root@centos7 data]# getent passwd user2
user2:x:1009:1010::/home/user2:/bin/bash
[root@centos7 data]# usermod -s /sbin/nolgin user2
[root@centos7 data]# getent passwd user2
user2:x:1009:1010::/home/user2:/sbin/nolgin
[root@centos7 data]#
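Added example (not from the original notes): chsh only warns when a shell is missing from /etc/shells, and usermod -s accepted the misspelled /sbin/nolgin above without complaint. This helper performs the check the tools skip before the shell is changed. The shells file is a parameter (default /etc/shells) so the check can be exercised against a constructed list; the function names are mine.

```shell
#!/bin/sh
# valid_login_shell SHELL [SHELLS_FILE]
# Returns 1 when SHELL is not an absolute path to an existing executable
# (the /sbin/nolgin case). A shell that exists but is not listed in
# SHELLS_FILE only gets a warning on stderr, mirroring chsh: /sbin/nologin
# is routinely used for service accounts even where /etc/shells omits it.
valid_login_shell() {
    shell=$1
    shells_file=${2:-/etc/shells}
    case $shell in
        /*) ;;
        *)  echo "$shell: not an absolute path" >&2; return 1 ;;
    esac
    if [ ! -x "$shell" ]; then
        echo "$shell: no such executable (typo?)" >&2
        return 1
    fi
    if ! grep -Fxq "$shell" "$shells_file" 2>/dev/null; then
        echo "warning: $shell is not listed in $shells_file" >&2
    fi
    return 0
}

# set_user_shell USER SHELL: only call usermod -s once the path checks out
set_user_shell() {
    valid_login_shell "$2" || return 1
    usermod -s "$2" "$1"
}
```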
Additional group operations
Supplementary group operations
[root@centos7 data]# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1)
[root@centos7 data]# usermod -G g11,g12 user1
usermod: group 'g11' does not exist
usermod: group 'g12' does not exist
[root@centos7 data]# groupadd g11
[root@centos7 data]# groupadd g12
[root@centos7 data]# usermod -G g11,g12 user1
[root@centos7 data]# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1),1013(g11),1014(g12)
[root@centos7 data]#
------------- removing supplementary groups 👇 -----------
[root@centos7 data]# usermod -G "" user1
[root@centos7 data]# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1)
[root@centos7 data]#
Other ways to view group information
[root@centos7 data]# usermod -G g11,g12 user1
[root@centos7 data]# groups user1
user1 : user1 g11 g12
[root@centos7 data]#
[root@centos7 data]# gpasswd --help
Usage: gpasswd [option] GROUP
Options:
-a, --add USER add USER to GROUP
-d, --delete USER remove USER from GROUP
-h, --help display this help message and exit
-Q, --root CHROOT_DIR directory to chroot into
-r, --delete-password remove the GROUP's password
-R, --restrict restrict access to GROUP to its members
-M, --members USER,... set the list of members of GROUP
-A, --administrators ADMIN,...
set the list of administrators for GROUP
Except for the -A and -M options, the options cannot be combined.
[root@centos7 data]# gpasswd -a user1 root
Adding user user1 to group root
[root@centos7 data]# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1),0(root),1013(g11),1014(g12)
[root@centos7 data]#
Sometimes a screenshot simply looks better; maybe give up on copying CLI output and just use images, adding keywords.
Setting a password on a group
A group password comes into play when an ordinary user wants to join a group
id user1
su - user1
touch file1
ll file1
To have created files carry g12 as their group, change user1's primary group to g12,
newgrp g12 user1
------- 👆 the newgrp in the screenshot above is temporary; after exit you leave the temporary primary group, 👇 see the next screenshot ------
root can do it just the same
For a permanent change use usermod -g
Some troubleshooting notes from hands-on work
Because a home directory with the same name existed before user3 was created, it causes some problems: this is also why su user3 shows -bash-4.2$
Viewing supplementary groups
[root@centos7 ~]# id ming
uid=1001(ming) gid=1001(ming) groups=1001(ming)
[root@centos7 ~]#
[root@centos7 ~]#
[root@centos7 ~]# groupmems --help
Usage: groupmems [options] [action]
Options:
-g, --group groupname change groupname instead of the user's group
(root only)
-R, --root CHROOT_DIR directory to chroot into
Actions:
-a, --add username add username to the members of the group
-d, --delete username remove username from the members of the group
-h, --help display this help message and exit
-p, --purge purge all members from the group
-l, --list list the members of the group
[root@centos7 ~]# groupmems -l -g ming
[root@centos7 ~]# groupadd g1
[root@centos7 ~]# groupadd g2
[root@centos7 ~]# groupadd g3
[root@centos7 ~]# usermod -G ming g1,g2,g3
usermod: user 'g1,g2,g3' does not exist
[root@centos7 ~]# usermod -G ming g1 g2 g3
[root@centos7 ~]# usermod -G g1,g2,g3 ming # note the argument order
[root@centos7 ~]# id ming
uid=1001(ming) gid=1001(ming) groups=1001(ming),1015(g1),1016(g2),1017(g3)
[root@centos7 ~]# groupmes -l -g ming
-bash: groupmes: command not found
[root@centos7 ~]# groupmems -l -g ming
[root@centos7 ~]# groupmems -l -g g1 # this looks it up from the group's side: who has it as a supplementary group
ming
[root@centos7 ~]# groupmems -l -g g2
ming
[root@centos7 ~]# groupmems -l -g g3
ming
[root@centos7 ~]#
----- if the user already has the group as a supplementary group, newgrp switches the primary group directly, no password needed ----- 👇 ----
[11:41:27 root@localhost ~]#usermod -G g12 user1
[11:41:43 root@localhost ~]#id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1),1013(g12)
[11:41:47 root@localhost ~]#id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[11:41:48 root@localhost ~]#su - user1
Last login: Mon Jan 17 20:48:42 CST 2022 on pts/0
[11:41:55 user1@localhost ~]$id
uid=1008(user1) gid=1009(user1) groups=1009(user1),1013(g12) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[11:42:01 user1@localhost ~]$id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1),1013(g12)
[11:42:03 user1@localhost ~]$newgrp g12
[11:42:09 user1@localhost ~]$id
uid=1008(user1) gid=1013(g12) groups=1013(g12),1009(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[11:42:10 user1@localhost ~]$exit
exit
[11:42:25 user1@localhost ~]$exit
logout
[11:42:29 root@localhost ~]#groupmems -l -g g12
user1
[11:42:35 root@localhost ~]#
Removing supplementary group members
[11:42:29 root@localhost ~]#groupmems -l -g g12
user1
[11:45:06 root@localhost ~]#groupmems -l -g g12
user1
[11:45:08 root@localhost ~]#id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1),1013(g12)
[11:45:24 root@localhost ~]#groupmems -d user1 -g g12
[11:45:30 root@localhost ~]#id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1)
[11:45:32 root@localhost ~]#
This only covers members of supplementary groups
[11:47:07 root@localhost ~]#groupmems -d user1 -g user1
groupmems: user 'user1' is not a member of 'user1'
[11:47:12 root@localhost ~]#id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1)
usermod alone is fine really; there are just rather many ways, haha
[11:49:06 root@localhost ~]#id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1),1014(g13)
[11:49:08 root@localhost ~]#usermod -G g12,g13 user1
[11:49:19 root@localhost ~]#id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1),1013(g12),1014(g13)
[11:49:21 root@localhost ~]#usermod -G g12 user1
[11:49:46 root@localhost ~]#id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1),1013(g12)
[11:49:48 root@localhost ~]#
Clearing all members from a group
Each tool has its strengths
[11:51:22 root@localhost ~]#id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1),1013(g12)
[11:51:24 root@localhost ~]#usermod -G g12 user2
[11:51:44 root@localhost ~]#usermod -G g12 user3
[11:51:46 root@localhost ~]#id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1),1013(g12)
[11:51:48 root@localhost ~]#id user2
uid=1009(user2) gid=1010(user2) groups=1010(user2),1013(g12)
[11:51:48 root@localhost ~]#id user3
uid=1010(user3) gid=1011(user3) groups=1011(user3),1013(g12)
[11:51:49 root@localhost ~]#
[11:51:49 root@localhost ~]#groupmems -l -g g12
user1 user2 user3
[11:51:57 root@localhost ~]#
To clear supplementary group members, use groupmems
[11:51:49 root@localhost ~]#groupmems -l -g g12
user1 user2 user3
[11:51:57 root@localhost ~]#
[11:52:28 root@localhost ~]#groupmems -p -g g12
[11:52:53 root@localhost ~]#groupmems -l -g g12
[11:52:56 root@localhost ~]#id user1
uid=1008(user1) gid=1009(user1) groups=1009(user1)
[11:52:59 root@localhost ~]#id user2
uid=1009(user2) gid=1010(user2) groups=1010(user2)
[11:53:02 root@localhost ~]#id user3
uid=1010(user3) gid=1011(user3) groups=1011(user3)
[11:53:02 root@localhost ~]#
Not sure whether primary-group members can be cleared
[11:53:55 root@localhost ~]#usermod -g g12 user1
[11:54:03 root@localhost ~]#id user1
uid=1008(user1) gid=1013(g12) groups=1013(g12)
[11:54:05 root@localhost ~]#groupmems -l -g g12
[11:54:18 root@localhost ~]#groupmems -p -g g12
[11:54:35 root@localhost ~]#groupmems -l -g g12
[11:54:35 root@localhost ~]#
-------- 👆 definitely not; primary groups are not managed by groupmems -----------
useradd / usermod / userdel can basically do all of this,
groupmems has a problem with its description
[root@centos7 ~]# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1),1014(g12)
[root@centos7 ~]# whatis groupmems
groupmems (8) - administer members of a user's primary group
[root@centos7 ~]# groupmems -l -g user1
[root@centos7 ~]# groupmems -l -g g12
user1
[root@centos7 ~]#
--------- "primary group" my foot; it is a supplementary-group management tool ------------ 👆 ------------
Exercises
Create user cacti with supplementary groups bin and root, default shell /bin/csh, and comment "i am a cacti"
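Added example (not from the original notes): the membership data that groupmems -l -g GROUP, groups USER and id read, pulled straight out of files in /etc/group and /etc/passwd format. It also shows why groupmems -l -g user1 printed nothing: a primary group is recorded as the GID field in passwd, not in the group file's member list. The files are arguments so the functions run on the constructed sample below; pass /etc/passwd and /etc/group for a real host. Function names and sample data are mine.

```shell
#!/bin/sh
# group_members GROUP GROUP_FILE -> the 4th field of GROUP's line, space separated
# (what groupmems -l -g GROUP prints; empty for a group nobody lists as supplementary)
group_members() {
    awk -F: -v g="$1" '$1 == g { gsub(",", " ", $4); print $4 }' "$2"
}

# supplementary_groups USER GROUP_FILE -> every group whose member list names USER
supplementary_groups() {
    awk -F: -v u="$1" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }' "$2"
}

# all_groups USER PASSWD_FILE GROUP_FILE -> primary group (resolved from the
# passwd GID field) first, then the supplementary groups, like "groups USER"
all_groups() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    primary=$(awk -F: -v g="$gid" '$3 == g { print $1 }' "$3")
    printf '%s' "$primary"
    supplementary_groups "$1" "$3" | while read -r g; do
        [ "$g" = "$primary" ] || printf ' %s' "$g"
    done
    echo
}

# demo_files: writes constructed passwd/group excerpts (ids chosen to match
# the notes) into a temp dir and prints its path; caller removes it.
demo_files() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:1000:1000::/home/user1:/bin/bash
user2:x:1009:1010::/home/user2:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
root:x:0:user1
user1:x:1000:
user2:x:1010:
g11:x:1013:user1
g12:x:1014:user1,user2,user3
EOF
    echo "$d"
}
```

With the sample, `group_members user1` is empty while `all_groups user1` gives `user1 root g11 g12`: the same facts the transcript shows with groupmems -l -g user1 and id user1.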
useradd -s /bin/csh -G bin,root -c "i am a cacti" cacti
[root@centos7 ~]# useradd -s /bin/csh -G bin,root -c "i am a cacti" cacti
[root@centos7 ~]# id cacti
uid=1007(cacti) gid=1007(cacti) groups=1007(cacti),0(root),1(bin)
[root@centos7 ~]# getent passwd cacti
cacti:x:1007:1007:i am a cacti:/home/cacti:/bin/csh
[root@centos7 ~]# finger cacti
Login: cacti Name: i am a cacti
Directory: /home/cacti Shell: /bin/csh
Never logged in.
No mail.
No Plan.
[root@centos7 ~]#
Create the following users, groups and group memberships:
a group named webs,
user nginx, with webs as a supplementary group
user varnish, with webs as a supplementary group
user mysql, with no interactive login, and not a member of webs
nginx, varnish and mysql all get the password cisco
groupadd webs
useradd -G webs nginx
useradd -G webs varnish
useradd -s /sbin/nologin mysql
cat << EOF >p.set
nginx:cisco
varnish:cisco
mysql:cisco
EOF
cat p.set |chpasswd
--------------------------- 👇 check it, works like a charm -----------------------
-------- 👆 users and groups above; 👇 below, sorting out file permissions for these users and groups -------
QoS / DiffServ (marking and classification, then policing, rate limiting and queueing) works on the same principle: differentiated treatment. The users and groups above are the differentiation; setting file access for those people below is the treatment.
File permissions
chown changes file ownership
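Added example (not from the original notes): an answer to the earlier question of how to batch passwd when both the user and the password vary, using the same chpasswd and "user:password" file shape as the exercise above. It refuses a password file that anyone but its owner can read, validates every line (a colon, a non-empty password, an account that actually exists) before changing anything, and with DRY_RUN=1 only reports which accounts would be touched. Function names and the constructed input are mine; `id -u` is used for the existence check so it also works where getent is absent.

```shell
#!/bin/sh
# filter_chpasswd_input FILE -> prints the valid "user:password" lines,
# reports rejected ones on stderr, returns 1 if anything was rejected.
filter_chpasswd_input() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                                  # blank or comment
            *:*) ;;
            *) echo "rejected (no colon): $line" >&2; rc=1; continue ;;
        esac
        user=${line%%:*}
        pass=${line#*:}
        if [ -z "$pass" ]; then
            echo "rejected (empty password): $user" >&2; rc=1; continue
        fi
        if ! id -u "$user" >/dev/null 2>&1; then
            echo "rejected (no such user): $user" >&2; rc=1; continue
        fi
        printf '%s\n' "$line"
    done < "$1"
    return $rc
}

# batch_set_passwords FILE: FILE must be mode 600 (it holds cleartext passwords);
# accepted lines go to chpasswd, or are only listed by user when DRY_RUN=1.
batch_set_passwords() {
    file=$1
    case $(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file") in
        *00) ;;                  # octal mode ending in 00: nothing for group/others
        *) echo "$file must be mode 600, refusing to read it" >&2; return 1 ;;
    esac
    accepted=$(filter_chpasswd_input "$file") || echo "warning: some lines skipped" >&2
    if [ -z "$accepted" ]; then
        echo "nothing to do" >&2; return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$accepted" | while IFS=: read -r u _; do
            echo "would set password for: $u"
        done
    else
        printf '%s\n' "$accepted" | chpasswd
    fi
}
```

Usage: `chmod 600 p.set && batch_set_passwords p.set` (as root), or `DRY_RUN=1 batch_set_passwords p.set` to see which lines pass the checks first. The author's `cat p.set | chpasswd` does the same work with none of the checks.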
[root@centos7 ~]# touch /data/f1
[root@centos7 ~]# su - user1
Last login: Mon Feb 7 12:33:30 CST 2022 on pts/0
[user1@centos7 ~]$ ll /data/f1
-rw-r--r--. 1 root root 0 Feb 7 12:33 /data/f1
[user1@centos7 ~]$ cat /data/f1
[user1@centos7 ~]$ echo 111 > /data/f1
-bash: /data/f1: Permission denied
------- 👆 user1, as other, has no write permission on f1 -----------
------- 👇 chown can change both the owner and the group of a file; chgrp is hardly ever needed -------
[user1@centos7 ~]$
[user1@centos7 ~]$ exit
logout
[root@centos7 ~]# chown user1 /data/f1
[root@centos7 ~]# ll /data/f1
-rw-r--r--. 1 user1 root 0 Feb 7 12:33 /data/f1
[root@centos7 ~]# chown :g12 /data/f1
[root@centos7 ~]# ll /data/f1
-rw-r--r--. 1 user1 g12 0 Feb 7 12:33 /data/f1
[root@centos7 ~]# ll /data/f1
-rw-r--r--. 1 user1 g12 0 Feb 7 12:33 /data/f1
[root@centos7 ~]# chown root:g13 /data/f1
chown: invalid group: ‘root:g13’
[root@centos7 ~]# chown root:g1 /data/f1
[root@centos7 ~]# ll /data/f1
-rw-r--r--. 1 root g1 0 Feb 7 12:33 /data/f1
[root@centos7 ~]# chown user1.g12 /data/f1
[root@centos7 ~]# ll /data/f1
-rw-r--r--. 1 user1 g12 0 Feb 7 12:33 /data/f1
-------- 👇 chgrp changes just the file's group ----------
[root@centos7 ~]# chgrp g2 /data/f1
[root@centos7 ~]# ll /data/f1
-rw-r--r--. 1 user1 g2 0 Feb 7 12:33 /data/f1
[root@centos7 ~]#
chmod changes file permissions
Symbolic mode:
chmod who opt per file
who: u,g,o,a
opt: +,-,=
per: r,w,x
Remove the owner's r permission from a file: chmod u-r file
[user1@centos7 ~]$ ll
total 4
-rw-rw-r--. 1 user1 user1 0 Feb 6 20:23 file1
[user1@centos7 ~]$ chmod u-r file1
[user1@centos7 ~]$ ll
total 4
--w-rw-r--. 1 user1 user1 0 Feb 6 20:23 file1
[user1@centos7 ~]$
--------- now look 👇 at user1's permissions on file1 -----------
[user1@centos7 ~]$ cat file1
cat: file1: Permission denied
[user1@centos7 ~]$ echo xx >> file1
[user1@centos7 ~]$ ll
total 8
--w-rw-r--. 1 user1 user1 3 Feb 7 13:43 file1
-rwxrwxrwx. 1 root root 839 Jan 10 14:20 fstab
[user1@centos7 ~]$
----------- so 👆 when the owner class applies, only the owner class is consulted ---------------
--------------- user > group > other ----- only one of the three permission sets takes effect ---------
[root@centos7 ~]# chmod u=-,g=r,o=rwx /data/f1
[root@centos7 ~]# ll /data/f1
----r--rwx. 1 user1 g2 3 Feb 7 13:48 /data/f1
[root@centos7 ~]# su user1
[user1@centos7 root]$ cat /data/f1
cat: /data/f1: Permission denied
[user1@centos7 root]$ echo xx > /data/f1
bash: /data/f1: Permission denied
[user1@centos7 root]$ exit
exit
[root@centos7 ~]# su user2
[user2@centos7 root]$ cat /data/f1
11
[user2@centos7 root]$ echo xx > /data/f1
[user2@centos7 root]$ cat /data/f1
xx
[user2@centos7 root]$
-------------- user1 can of course add the permissions back on user1's own file ------- 👇 ---
[user1@centos7 root]$ ll /data/f1
----r--rwx. 1 user1 g2 3 Feb 7 13:52 /data/f1
[user1@centos7 root]$ chmod u=rwx /data/f1
[user1@centos7 root]$ ll /data/f1
-rwxr--rwx. 1 user1 g2 3 Feb 7 13:52 /data/f1
[user1@centos7 root]$ cat /data/f1
xx
[user1@centos7 root]$ echo yy >> /data/f1
[user1@centos7 root]$ cat /data/f1
xx
yy
[user1@centos7 root]$
---------- someone who is not the file's owner naturally cannot change its attributes 👇 -------------
[root@centos7 ~]# su user2
[user2@centos7 root]$ ll /data/f1
-rwxr--rwx. 1 user1 g2 6 Feb 7 13:53 /data/f1
[user2@centos7 root]$ chmod u=rx /data/f1
chmod: changing permissions of ‘/data/f1’: Operation not permitted
[user2@centos7 root]$ chmod g=- /data/f1
chmod: changing permissions of ‘/data/f1’: Operation not permitted
[user2@centos7 root]$
[root@centos7 ~]# chmod a=rwx /data/f1
[root@centos7 ~]# ll /data/f1
-rwxrwxrwx. 1 user1 g2 6 Feb 7 13:53 /data/f1
[root@centos7 ~]# chmod a=- /data/f1
[root@centos7 ~]# ll /data/f1
----------. 1 user1 g2 6 Feb 7 13:53 /data/f1
[root@centos7 ~]# chmod a=r /data/f1
[root@centos7 ~]# ll /data/f1
-r--r--r--. 1 user1 g2 6 Feb 7 13:53 /data/f1
[root@centos7 ~]# chmod a= /data/f1
[root@centos7 ~]# ll /data/f1
----------. 1 user1 g2 6 Feb 7 13:53 /data/f1
[root@centos7 ~]#
------------ nobody else can, but root still can 👇 ------ root is above permissions except for x, the execute permission -----
[root@centos7 ~]# chown root.root /data/f1
[root@centos7 ~]# ll /data/f1
----------. 1 root root 9 Feb 7 13:59 /data/f1
[root@centos7 ~]# cat /data/f1
xx
yy
zz
[root@centos7 ~]# echo ee >> /data/f1
[root@centos7 ~]# cat /data/f1
xx
yy
zz
ee
[root@centos7 ~]#
--------- 👇 -- if root lacks the execute permission it fails too; only root's rw read/write is unaffected by permissions -----
[root@centos7 ~]# ll /bin/cat
-rwxr-xr-x. 1 root root 54080 Aug 20 2019 /bin/cat
[root@centos7 ~]#
[root@centos7 ~]# chow a-x /bin/cat
-bash: chow: command not found
[root@centos7 ~]# chmod a-x /bin/cat
[root@centos7 ~]# ll /bin/cat
-rw-r--r--. 1 root root 54080 Aug 20 2019 /bin/cat
[root@centos7 ~]# cat /data/f1
-bash: /usr/bin/cat: Permission denied
[root@centos7 ~]# /bin/cat /data/f1
-bash: /bin/cat: Permission denied
[root@centos7 ~]# chmod +x /bin/cat # equivalent to a+x here
[root@centos7 ~]# cat /data/f1
xx
yy
zz
ee
------- 👇 ---- root is special: as long as any one of u, g, o has the execute permission, root can execute it ---------
[root@centos7 ~]# ll /bin/cat
-rwxr-xr-x. 1 root root 54080 Aug 20 2019 /bin/cat
[root@centos7 ~]# chmod u-x,g-x /bin/cat
[root@centos7 ~]# ll /bin/cat
-rw-r--r-x. 1 root root 54080 Aug 20 2019 /bin/cat
[root@centos7 ~]# cat /data/f1
xx
yy
zz
ee
[root@centos7 ~]#
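Added example (not from the original notes): the access rule the transcripts above demonstrate, written out as a function so it can be checked against the exact cases seen. Only one class is consulted: owner if you own the file, otherwise group if any of your groups matches, otherwise other; the classes are never merged, so the owner of a ----r--rwx file gets nothing while an unrelated user gets rwx. root is the exception: read and write are always granted, execute only if at least one class has x. Inputs are plain strings (the mode as ls -l prints it, owner, group, the user and the user's group list), so nothing on disk is touched; function names are mine.

```shell
#!/bin/sh
# effective_perms MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# MODE is the 10-char ls -l field such as -rwxr--rwx (a trailing SELinux
# "." or ACL "+" is ignored). Prints three characters, r/w/x or "-".
effective_perms() {
    # fold setuid/setgid/sticky letters into plain x/- before slicing:
    # s,t = bit plus execute; S,T = bit without execute
    mode=$(printf '%s' "$1" | tr 'sStT' 'x-x-')
    owner=$2 group=$3 user=$4 groups=$5
    u_bits=$(printf '%s' "$mode" | cut -c2-4)
    g_bits=$(printf '%s' "$mode" | cut -c5-7)
    o_bits=$(printf '%s' "$mode" | cut -c8-10)

    if [ "$user" = root ]; then
        # root skips the r/w checks; x needs at least one x in any class
        case $u_bits$g_bits$o_bits in
            *x*) echo "rwx" ;;
            *)   echo "rw-" ;;
        esac
        return
    fi
    if [ "$user" = "$owner" ]; then
        echo "$u_bits"; return             # owner class wins, even if it is worse
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            echo "$g_bits"; return         # group class (primary or supplementary)
        fi
    done
    echo "$o_bits"                         # everyone else
}

# can OP MODE OWNER GROUP USER "GROUPS": OP is r, w or x; returns 0 if allowed
can() {
    op=$1; shift
    case $(effective_perms "$@") in
        *"$op"*) return 0 ;;
        *)       return 1 ;;
    esac
}
```

Replaying the transcript: `effective_perms ----r--rwx user1 g2 user1 "user1 g12"` gives `---` (user1's cat and echo both failed), `effective_perms ----r--rwx user1 g2 user2 user2` gives `rwx` (user2 read and overwrote it), and for root `---------- ` gives `rw-` while `-rw-r--r-x` on /bin/cat gives `rwx`.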
Changing the permissions of every file and subdirectory under a directory: this R is a real trap, about as dangerous as with rm
[root@centos7 ~]# ll /data/
total 8
-rw-r--r--. 1 root root 151 Feb 6 19:31 change_passwd.sh
----------. 1 root root 12 Feb 7 14:19 f1
-rw-r--r--. 1 root root 0 Feb 7 14:19 f10
-rw-r--r--. 1 root root 0 Feb 7 14:19 f11
-rw-r--r--. 1 root root 0 Feb 7 14:19 f12
-rw-r--r--. 1 root root 0 Feb 7 14:19 f13
-rw-r--r--. 1 root root 0 Feb 7 14:19 f14
-rw-r--r--. 1 root root 0 Feb 7 14:19 f15
-rw-r--r--. 1 root root 0 Feb 7 14:19 f16
-rw-r--r--. 1 root root 0 Feb 7 14:19 f17
-rw-r--r--. 1 root root 0 Feb 7 14:19 f18
-rw-r--r--. 1 root root 0 Feb 7 14:19 f19
-rw-r--r--. 1 root root 0 Feb 7 14:19 f2
-rw-r--r--. 1 root root 0 Feb 7 14:19 f20
-rw-r--r--. 1 root root 0 Feb 7 14:19 f3
-rw-r--r--. 1 root root 0 Feb 7 14:19 f4
-rw-r--r--. 1 root root 0 Feb 7 14:19 f5
-rw-r--r--. 1 root root 0 Feb 7 14:19 f6
-rw-r--r--. 1 root root 0 Feb 7 14:19 f7
-rw-r--r--. 1 root root 0 Feb 7 14:19 f8
-rw-r--r--. 1 root root 0 Feb 7 14:19 f9
[root@centos7 ~]# chmod a+x -R /data/
[root@centos7 ~]# ll /data/ -d
drwxr-xr-x. 2 root root 241 Feb 7 14:19 /data/
[root@centos7 ~]# ll /data/
total 8
-rwxr-xr-x. 1 root root 151 Feb 6 19:31 change_passwd.sh
---x--x--x. 1 root root 12 Feb 7 14:19 f1
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f10
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f11
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f12
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f13
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f14
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f15
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f16
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f17
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f18
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f19
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f2
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f20
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f3
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f4
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f5
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f6
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f7
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f8
-rwxr-xr-x. 1 root root 0 Feb 7 14:19 f9
[root@centos7 ~]#
[root@centos7 ~]# ll /data/
total 8
-rw-r--r--. 1 root root 151 Feb 6 19:31 change_passwd.sh
----------. 1 root root 12 Feb 7 14:19 f1
-rw-r--r--. 1 root root 0 Feb 7 14:19 f10
-rw-r--r--. 1 root root 0 Feb 7 14:19 f11
-rw-r--r--. 1 root root 0 Feb 7 14:19 f12
-rw-r--r--. 1 root root 0 Feb 7 14:19 f13
-rw-r--r--. 1 root root 0 Feb 7 14:19 f14
-rw-r--r--. 1 root root 0 Feb 7 14:19 f15
-rw-r--r--. 1 root root 0 Feb 7 14:19 f16
-rw-r--r--. 1 root root 0 Feb 7 14:19 f17
-rw-r--r--. 1 root root 0 Feb 7 14:19 f18
-rw-r--r--. 1 root root 0 Feb 7 14:19 f19
-rw-r--r--. 1 root root 0 Feb 7 14:19 f2
-rw-r--r--. 1 root root 0 Feb 7 14:19 f20
-rw-r--r--. 1 root root 0 Feb 7 14:19 f3
-rw-r--r--. 1 root root 0 Feb 7 14:19 f4
-rw-r--r--. 1 root root 0 Feb 7 14:19 f5
-rw-r--r--. 1 root root 0 Feb 7 14:19 f6
-rw-r--r--. 1 root root 0 Feb 7 14:19 f7
-rw-r--r--. 1 root root 0 Feb 7 14:19 f8
-rw-r--r--. 1 root root 0 Feb 7 14:19 f9
[root@centos7 ~]# chown -R user1 /data/
[root@centos7 ~]# ll /data/
total 8
-rw-r--r--. 1 user1 root 151 Feb 6 19:31 change_passwd.sh
----------. 1 user1 root 12 Feb 7 14:19 f1
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f10
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f11
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f12
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f13
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f14
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f15
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f16
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f17
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f18
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f19
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f2
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f20
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f3
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f4
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f5
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f6
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f7
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f8
-rw-r--r--. 1 user1 root 0 Feb 7 14:19 f9
[root@centos7 ~]#
[root@centos7 ~]# ll /data/ -d
drw-r--r--. 2 user1 root 241 Feb 7 14:19 /data/
------- the trap is here 👇 -----
rm -rf / data #one slip of the hand adds a space and everything is gone
chmod -R a=rwx / data #another slip of the hand and everyone gets everything
------ 👆 you just changed the permissions of every directory and file under /, and here comes a worse one 👇 ----
chown -R user1 / data #every directory and file under / now belongs to user1
Copying the user, group and permissions of a reference file
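Added example (not from the original notes): two guards for the -R slips just shown. check_targets refuses to proceed if any argument is "/" or does not exist, so "chmod -R a=rwx / data" with the stray space stops before touching the root rather than after. The second part goes a step beyond the notes: chmod's capital X adds execute only to directories and to files that are already executable, which avoids the result seen in the /data listing above where chmod -R a+x made every plain file executable. Function names are mine.

```shell
#!/bin/sh
# check_targets PATH... -> 0 only if every path is safe to recurse into
check_targets() {
    [ $# -gt 0 ] || { echo "no target given" >&2; return 1; }
    for p in "$@"; do
        case $p in
            /|//) echo "refusing to recurse into /" >&2; return 1 ;;
        esac
        # a non-existent argument is the tell-tale sign of "/ data" for "/data"
        [ -e "$p" ] || { echo "no such path: $p (stray space?)" >&2; return 1; }
    done
    return 0
}

# safe_chmod_r MODE PATH... / safe_chown_r OWNER[:GROUP] PATH...
safe_chmod_r() { mode=$1; shift; check_targets "$@" && chmod -R "$mode" "$@"; }
safe_chown_r() { who=$1;  shift; check_targets "$@" && chown -R "$who" "$@"; }

# add_exec_dirs_only DIR: a+X makes directories traversable without making
# regular files executable (a+x would do both).
add_exec_dirs_only() { check_targets "$1" && chmod -R a+X "$1"; }

# demo_x_vs_X: builds a throwaway tree (a 644 file and a 644 directory),
# applies a+X and returns "<file mode> <dir mode>" as ls -l shows them.
demo_x_vs_X() {
    tmp=$(mktemp -d)
    mkdir "$tmp/sub"
    : > "$tmp/f1"
    chmod 644 "$tmp/f1"
    chmod 644 "$tmp/sub"                 # start with a non-traversable directory
    add_exec_dirs_only "$tmp"
    f=$(ls -ld "$tmp/f1"  | cut -c1-10)
    d=$(ls -ld "$tmp/sub" | cut -c1-10)
    chmod -R u+rwx "$tmp"; rm -rf "$tmp"
    echo "$f $d"
}
```

`demo_x_vs_X` prints `-rw-r--r-- drwxr-xr-x`: the directory became executable, the file did not. Run through `safe_chmod_r a=rwx / data`, the typo from the notes is rejected with a message instead of being executed.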
[root@centos7 ~]# ll /etc/fstab
-rw-r--r--. 1 root root 595 Jan 5 17:41 /etc/fstab
[root@centos7 ~]# ll /data/f1
----------. 1 user1 root 12 Feb 7 14:19 /data/f1
[root@centos7 ~]# chown --reference /etc/fstab /data/f1
[root@centos7 ~]# ll /data/f1
----------. 1 root root 12 Feb 7 14:19 /data/f1
[root@centos7 ~]# chmod --reference /etc/fstab /data/f1
[root@centos7 ~]# ll /data/f1
-rw-r--r--. 1 root root 12 Feb 7 14:19 /data/f1
[root@centos7 ~]#